Changes in HIPAA Regulations and Enforcement in 2018

What changes in HIPAA regulations could be expected in 2018? Are there new HIPAA regulations expected to be introduced? OCR Director Roger Severino has suggested there could be some HIPAA changes in 2018 and said HIPAA enforcement activities are unlikely to slow down.

The Trump administration introduced a policy that aims to reduce regulations in the U.S. because too much regulation hinders America’s economic development. Trump signed an executive order that requires two regulations to be eliminated for every new regulation that is introduced.

Though there was no specific mention of how this applies to healthcare law, the same rule will undoubtedly apply. Severino confirmed that there must be deregulation in certain areas before introducing new regulations at the HIMSS conference. Consequently, there is more likely to be be changes that see a reduction in administration burden before new requlations are introduced, although whether that happens in 2018 remains to be seen.

OCR is currently assessing current HIPAA regulations to determine whether facets of HIPAA Rules are still appropriate and is attempting to find areas where the administrative burden on healthcare providers can be eased. OCR is considering the benefit of different HIPAA provisions and weighing the benefits over the costs.

The main objectives of the HHS are minimizing the burden of compliance and simplifying regulations, which is likely to be achieved by removing obsolete limitations and regulations, eliminate any duplication, and assessing particularly bothersome requirements that now serve little purpose.

With regards to HIPAA enforcement activities in 2018, what can we expect? In 2016, HIPAA enforcement activities by OCR increased significantly. There were more settlements compared to other years since the signing of the HIPAA Enforcement Rule. OCR issued 12 settlements and one civil monetary penalty in 2016, with a further 9 settlements and one one civil monetary penalty in 2017.

Roger Severino’s presentation on HIPAA compliance at the HIMSS Conference 2018 included enforcement and policy news from the Office for Civil Rights. He confirmed OCR won’t stop pursuing settlements with HIPAA covered entities for egregious HIPAA rule violations and said not just the big healthcare companies that OCR will investigating. Smaller healthcare organizations that violate HIPAA Rules will also be held to account for HIPAA violations.

Severino also stated that, as much as possible, OCR wants to issue fewer financial penalties to covered entities, but healthcare organizations need to ensure they are in compliance with HIPAA Rules. So far in 2018, OCR has agreed to settle HIPAA violations with six healthcare organizations and has issued one civil monetary penalty.

Aside from OCR, state attorneys general also enforce HIPAA rules and issue fines for HIPAA violations. The New York Attoney General has fined EmblemHealth $575,000, Aetna $1,150,000, and the Arc of Erie County $200,000. New Jersey fined Virtua Medical Group $417,816 and Aetna $365,211. Massachusetts fined UMass Memorial Medical Center $230,000. Aetna was also fined $99,959 by Connecticut and $175,000 by the District of Columbia. Washington is also in the process of fining Aetna.

GDPR compliance is a top issue this 2018 among American healthcare companies and business associates that have patients, clients, or partners in Europe. These organizations have had to comply with the EU General Data Protection Regulation (GDPR) from May 25, 2018. Failure to comply with GDPR can result in a financial penalty of up to 20,000,000 Euros or 4% of the company’s yearly global revenues, whichever is bigger. The GDPR requirements and HIPAA Privacy and Security Rules requirements overlap in some aspects. This makes compliance with the GDPR easier for U.S. healthcare companies compared to other U.S. firms. Nevertheless, compliance with HIPAA does not guarantee compliance with GDPR.